Be Excellent To Each Other

And, you know, party on. Dude.

All times are UTC [ DST ]




Reply to topic  [ 25 posts ] 
Author Message
 Post subject: API Authorisation
PostPosted: Wed Nov 30, 2016 8:27 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
Hello hive mind, can you do my job for me please? :p

We have a piece of software that automatically authorises as the logged in user (I am aware of things like Kerberos and NTLM, but this isn't exactly my area), it's also integrated with Microsoft CRM (4.0 near-end-of-life software fans), so I'm not sure if it in some way piggybacks off that authorisation (ignore all this, like I say, I don't really know what I'm talking about).

Anyway, the providers of said software have recently told us about their API, which supports a series of HTTP GET and POST requests to get data in and out of the system. Each of these requests requires a valid token to authorise the request. You get a token by submitting a POST request with the valid credentials of the user that you want the token for (ie, their windows login details) - in the body of the request. So, my hopes and dreams for the API, were to write something that would automatically authenticate as the current user, and then allow them to do stuff in the system, but I've hit a bit of a stumbling block with the token as the only way I appear to be able submit credentials is in the body of the request, and understandably, there doesn't seem to be a way to get someones password and use it in this way.

I spoke to the author of the API and they basically said they didn't use it like that and suggested prompting for a password, although I'm waiting for a response from our IT to see what they think about me writing something that asks people to enter their windows passwords (I've promised not to log them all to a file buried on the network).

So, am I being stupid, are they being stupid, or do I just have ridiculous expectations of what I should be able to do with an API?


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 8:40 
User avatar
Paws for thought

Joined: 27th Mar, 2008
Posts: 17161
Location: Just Outside That London, England, Europe
I believe our work gets around this kind of thing with single sign on , but I'm no expert. (and they recently broke that anyway so I have to put in my password so the time.)


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 8:48 
User avatar
Unpossible!

Joined: 27th Jun, 2008
Posts: 38667
Same here. The university uses a "Shibboleth" system with a single login authorising you for dozens of systems.

No idea how it works though. It's all tied to the domain


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 9:19 
Awesome
User avatar
Yes

Joined: 6th Apr, 2008
Posts: 12340
If you're sending to a third party to get a token, they can't be authenticating against your AD logins, can they? So you need to send a password that matches the credentials they're expecting their end.

_________________
Always proof read carefully in case you any words out


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 10:45 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.
What'a the web server it's running against?

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:08 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:26 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Grim... wrote:
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.


That's not in the request body, that's in headers. There's a solid chance that it will be an AD user at the far end, if it's designed that way. If it is though, and it's IIS, well that's why integrated auth exists.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:41 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
Cras wrote:
Grim... wrote:
Cras wrote:
That really shouldn't ever be how AD authentication works. Passing the password in the request body? That's broken and wrong.

https://en.wikipedia.org/wiki/Basic_acc ... entication

Except I'm almost sure it won't be the Windows login details - it'll be the details of that user that are stored at the API end. You could set that up silently for them.

That's not in the request body, that's in headers.

In the grand scheme of things that doesn't make much difference.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:42 
User avatar

Joined: 30th Mar, 2008
Posts: 14380
Location: Shropshire, UK
Cras wrote:
Passing the password in the request body? That's broken and wrong.

Damn straight. Even in the headers is bad enough, at least give each user some sort of API access password that is only used to get a token from the API rather than sending their full account password over the air, goddamnit.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 11:44 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
GazChap wrote:
Cras wrote:
Passing the password in the request body? That's broken and wrong.

Damn straight. Even in the headers is bad enough

There's no difference!

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:03 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Except that passing www-authenticate headers means they can be processed automatically by the web server. Passing them in the post body means you have to manually take them and use them in code to authenticate.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:39 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
Yes, but that's their end. Give a fuck about their end. Neither way is more secure.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 13:42 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Grim... wrote:
Yes, but that's their end. Give a fuck about their end. Neither way is more secure.


You give a fuck about their end because they're your credentials.

It's always going to be more secure to use built-in auth functions that have been tested to destruction all over the place than to roll your own custom code for it.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 14:31 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
I was thinking more about during transit. Don't forget there's nothing stopping them getting their hands on the headers.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 15:27 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
Grim... wrote:
I was thinking more about during transit. Don't forget there's nothing stopping them getting their hands on the headers.


If you're logging in, I'm assuming it's SSL protected in transit. If not, burn the whole fucking thing down.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:07 
SupaMod
User avatar
Est. 1978

Joined: 27th Mar, 2008
Posts: 69725
Location: Your Mum
Cras wrote:
Grim... wrote:
assuming

When you ASSume, I put my DICK in your mums ASS.

Or something.

_________________
Grim... wrote:
I wish Craster had left some girls for the rest of us.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:40 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
Cheers guys, I barely understand anything you've said, other than it's a shitfest, but I kind of suspected that anyway.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 16:52 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
What is it built on, Joans? What's the webserver?

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 17:12 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
IIS.

I've got access to the server if anyone wants me to break stuff.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 17:33 
User avatar
Unpossible!

Joined: 27th Jun, 2008
Posts: 38667
IIS? Blimey


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 18:45 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
If it's IIS then turn on integrated authentication for the virtual directory the API uses and see what happens.

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:05 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
Er, how do I do that?
If I go to the site in IIS, and view virtual directories, there are none.


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:07 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
I tried enabling Windows Authentication earlier, but that didn't seem to make any difference (or I don't know how to request a token properly).


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:25 
SupaMod
User avatar
Commander-in-Cheese

Joined: 30th Mar, 2008
Posts: 49244
if there's only one top level site and you've tried it with integrated auth turned on, then they're doing something weird and they'll have to try and tell you what's needed, sadly :(

_________________
GoddessJasmine wrote:
Drunk, pulled Craster's pork, waiting for brdyime story,reading nuts. Xz


Top
 Profile  
 
 Post subject: Re: API Authorisation
PostPosted: Wed Nov 30, 2016 20:31 
User avatar

Joined: 31st Mar, 2008
Posts: 8655
There are loads of sites (on the left), but the one relating to the api doesn't have anything listed under view virtual directories. If that's where I'm supposed to be looking?


Top
 Profile  
 
Display posts from previous:  Sort by  
Reply to topic  [ 25 posts ] 

All times are UTC [ DST ]


Who is online

Users browsing this forum: Columbo, Kern and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search within this thread:
You are using the 'Ted' forum. Bill doesn't really exist any more. Bogus!
Want to help out with the hosting / advertising costs? That's very nice of you.
Are you on a mobile phone? Try http://beex.co.uk/m/
RIP, Owen. RIP, MrC. RIP, Dimmers.

Powered by a very Grim... version of phpBB © 2000, 2002, 2005, 2007 phpBB Group.